how to use a domain name to create a vpn
There may be occasions where you need to join an off-site computer to an existing domain at a remote office. Most often this would be in a situation such as a satellite office which is part of a larger corporate network and there is a site-to-site VPN in place. Though a site-to-site VPN is by far the easiest way to join, it can be done using a Windows VPN client, which will be discussed further on in this article. The primary problem encountered when joining the domain is DNS, but this is easily dealt with.
Joining the domain using a site-to-site VPN
- Only 1 network adapter can be enabled on the PC joining the domain, preferably a wired connection. If any others exist, such as a wireless card, disable them until the PC is joined to the domain. On occasion Bluetooth adapters will also conflict, so I recommend disabling them as well.
- Configure the connecting PC's network adapter either statically or through DHCP to point ONLY to the domain controller at the corporate office for DNS. Do not add an alternate external DNS server such as an ISP or router as these will often respond first and name resolution will fail.
- In the NIC configuration, under Internet Protocol Version 4 (TCP/IPv4) properties, click Advanced, and under the DNS tab enter the corporate internal DNS suffix, such as CompanyDomain.local, in the box entitled "DNS suffix for this connection".
- Then join the domain using the traditional method: Computer (formerly My Computer) | Properties | Change Settings | Change | enter the internal domain name | click OK. You should be prompted for credentials for an account authorized to do so, a Domain Admin account. If the Domain Controller is a version of Small Business Server, the SBS option to use http://SBSname/connectcomputer or http://connect most often will not work. (More detail and screenshots for the domain join process can be found below in the section on using a VPN client.)
- If you wish to simultaneously import an existing local user profile, you can use ProfWiz as outlined in the following link which will both join the domain and move the profile. Though the article references SBS, it can be used with any Windows Server Version. https://blog.lan-tech.ca/2011/05/19/sbs-and-profwiz/
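The DNS conditions in the steps above can be checked from PowerShell before attempting the join. This is an added example, not part of the original article; it assumes Windows 8 / Server 2012 or later (NetAdapter and DnsClient modules), and the DNS server address `192.0.2.10` and host name `DC01` are placeholders.

```powershell
# Added example: pre-join check for the site-to-site steps. All values passed in are placeholders.
function Test-DomainJoinReadiness {
    param(
        [Parameter(Mandatory)] [string]   $DomainName,      # e.g. CompanyDomain.local
        [Parameter(Mandatory)] [string[]] $DomainDnsServer, # IP(s) of the domain controller(s)
        [Parameter(Mandatory)] [string]   $ServerShortName  # DC host name without suffix
    )
    $problems = @()

    # Only one physical adapter should be enabled during the join.
    $up = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
    if ($up.Count -ne 1) {
        $problems += "Expected 1 enabled adapter, found $($up.Count): $($up.Name -join ', ')"
    }

    foreach ($nic in $up) {
        # DNS must point ONLY at the domain controller, with no ISP or router as alternate.
        $dns = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
        $extra = @($dns | Where-Object { $_ -notin $DomainDnsServer })
        if (-not $dns) { $problems += "$($nic.Name): no DNS server configured" }
        if ($extra)    { $problems += "$($nic.Name): non-domain DNS server(s): $($extra -join ', ')" }

        # The connection-specific suffix must be the internal domain name.
        $suffix = (Get-DnsClient -InterfaceIndex $nic.ifIndex).ConnectionSpecificSuffix
        if ($suffix -ne $DomainName) {
            $problems += "$($nic.Name): DNS suffix is '$suffix', expected '$DomainName'"
        }
    }

    # The short-name lookup exercises the suffix; the SRV lookup is how the client locates a DC.
    foreach ($q in @(@{Name = $ServerShortName; Type = 'A'},
                     @{Name = "_ldap._tcp.dc._msdcs.$DomainName"; Type = 'SRV'})) {
        if (-not (Resolve-DnsName @q -DnsOnly -ErrorAction SilentlyContinue)) {
            $problems += "Cannot resolve $($q.Type) record for $($q.Name)"
        }
    }
    $problems
}

$issues = Test-DomainJoinReadiness -DomainName 'CompanyDomain.local' `
              -DomainDnsServer '192.0.2.10' -ServerShortName 'DC01'
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { Add-Computer -DomainName 'CompanyDomain.local' -Credential (Get-Credential) -Restart }
```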
Joining the domain using a Windows VPN client
Joining a domain using a VPN client is a little more involved, but not complicated. This method may work with other VPN clients, so long as they have the option to connect to the VPN before logon, but this explanation uses only the Windows built-in VPN client. Without the ability to connect before logon, there is very little advantage even if you can join the domain, as you would not actually be authenticating to the domain. I will assume the server end, RRAS, is configured and working for VPN client connections.
- Log on to the PC you wish to join the domain with a local administrator account
- Only 1 network adapter can be enabled on the PC joining the domain, preferably a wired connection. If any others exist, such as a wireless card, disable them until the PC is joined to the domain. On occasion Bluetooth adapters will also conflict, so I recommend disabling them as well.
- Establish a VPN connection. If not familiar with doing so:
- Presumably you were able to establish a connection. However, if you run nslookup from a command line for the server name while connected, you will see it fails. Try an nslookup for the FQDN of the server, and it will succeed. Thus, we need to configure DNS for the VPN client before proceeding.
- Now you can try joining the domain
- In order to authenticate to the corporate network at logon and work as if on the corporate LAN, you need to connect the VPN before logging on to the PC. When the PC reboots press Ctrl+Alt+Delete as you normally would, and then choose "Switch User"
Note: If connecting from Windows 8, please see the following updated article: https://blog.lan-tech.ca/2013/03/02/windows-8-connect-to-vpn-before-logon/
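A scripted form of the VPN client setup and of the short-name versus FQDN test described above, as an added example that is not from the original article. It assumes Windows 8 or later (VpnClient and DnsClient modules) and an elevated session; the connection name, `vpn.example.com` and `DC01` are placeholders.

```powershell
# Added example; every name below is a placeholder.
$vpnName = 'Corporate VPN'          # hypothetical connection name
$vpnServer = 'vpn.example.com'      # placeholder public name of the RRAS server
$domain = 'CompanyDomain.local'     # internal domain name
$dcName = 'DC01'                    # placeholder DC host name

# An all-user connection is the kind that can be offered at the logon screen.
# The DNS suffix is set on the connection so short names resolve over the VPN.
if (-not (Get-VpnConnection -Name $vpnName -AllUserConnection -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $vpnName -ServerAddress $vpnServer -AllUserConnection `
        -DnsSuffix $domain -EncryptionLevel Required
}

function Test-VpnNameResolution {
    param([string]$ConnectionName, [string]$ShortName, [string]$DomainName)

    $vpn = Get-VpnConnection -Name $ConnectionName -AllUserConnection
    if ($vpn.ConnectionStatus -ne 'Connected') {
        return "VPN '$ConnectionName' is not connected"
    }

    # -DnsOnly keeps LLMNR/NetBIOS from masking a DNS failure, matching what nslookup tests.
    $fqdnOk  = [bool](Resolve-DnsName "$ShortName.$DomainName" -Type A -DnsOnly -ErrorAction SilentlyContinue)
    $shortOk = [bool](Resolve-DnsName $ShortName -Type A -DnsOnly -ErrorAction SilentlyContinue)

    if (-not $fqdnOk) {
        return 'FQDN lookup fails: the client is not using the internal DNS server'
    }
    if (-not $shortOk) {
        return "Short name fails but FQDN works: DNS suffix on the connection is '$($vpn.DnsSuffix)'"
    }
    'OK: short name and FQDN both resolve'
}

# Run after the VPN has been connected.
Test-VpnNameResolution -ConnectionName $vpnName -ShortName $dcName -DomainName $domain
```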
Depending on the performance of the VPN connection, it is sometimes necessary for the network administrator to "tweak" a few Group Policies for slow network detection. The following policies can assist with this:
Server 2008 / 2008 R2 / SBS 2008 / SBS 2011:
- Computer Configuration | Policies | Administrative Templates | System | Group Policy | Group Policy slow link detection
- Computer Configuration | Policies | Administrative Templates | System | Scripts | Run logon scripts synchronously
- Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow-link mode
- Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow link speed
Server 2003 / SBS 2003 / SBS 2003 R2:
- Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and login
- Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
- Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously
- Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow-link mode
- Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow link speed
Source: https://blog.lan-tech.ca/2012/07/25/how-to-join-a-windows-domain-using-a-vpn/